Cork Protocol Suffers $12M Exploit in Smart Contract Attack
As DeFi projects rebound, so too have the threats they face.
Cork Protocol became the latest casualty in a wave of renewed cyberattacks, losing over $12 million in a targeted smart contract exploit.
There was a security incident affecting the wstETH:weETH market at 11:23 UTC today.
All other Cork markets have been paused as a precaution, and no other markets have been impacted.
We are actively investigating the situation and will continue to provide updates as more details…
— Cork Protocol (@Corkprotocol) May 28, 2025
The breach, detected by cybersecurity firm Cyvers Alerts, occurred at 11:23:19 UTC and was traced to a wallet address ending in “762B.”
🚨ALERT🚨Our system has identified a $12M smart contract exploit, with @CorkProtocol potentially the victims.
A malicious contract was deployed on May 28, 2025 at 11:23:19 UTC by an address funded by 0x4771...762B (likely a service provider).
Just 16 minutes and 45 seconds…
— 🚨 Cyvers Alerts 🚨 (@CyversAlerts) May 28, 2025
According to Cork Protocol, the attacker exploited a vulnerability in the wstETH:weETH market—draining 3,761.87 Wrapped Staked Ether (wstETH), which was swiftly converted into Ether.
While the exploit was limited to this single trading pair, Cork pre-emptively paused all other markets as a security measure.
Cork Moves Fast to Limit Fallout After Exploit While Awaiting Publication of Post-Mortem Report
Shortly after news of the exploit broke, Cork Protocol founder Phil Fogel launched an internal investigation and froze all smart contracts to prevent further losses.
We are investigating a potential exploit on @Corkprotocol and are pausing all contracts. We will report back with more information.
— Phil Fogel ( 🦇, 🌳, 🍾) (@Philfog) May 28, 2025
Preliminary analysis suggests the attacker deployed a fraudulent smart contract tied to a spoofed token, allowing them to siphon off the protocol’s available wstETH.
Following the breach, the attacker’s wallet held 4,530.59 ETH, which had yet to be split across multiple addresses.
This lack of dispersion, coupled with the method used, has sparked speculation of potential ties to North Korean hacking strategies, which often involve delayed asset mixing.
The exploit capitalised on a pricing discrepancy: wstETH was trading at $3,207.73, a premium well above ETH’s market price in the $2,500 range.
The timing was particularly disruptive—Cork had recently surged in popularity, boasting $23.8 million in total value locked and $563 million in decentralised trading volume for its Depeg Swap tokens, designed for risk hedging.
Since the attack, conflicting data has emerged regarding the protocol’s liquidity.
One metric suggests Cork lost over $1 billion from its wstETH vault, though the full scope of the impact on its Depeg Swap markets remains unclear.
Notably, Cork has no native token, limiting broader market contagion.
The team has promised a full post-mortem report to clarify the extent of the damage and next steps.
Security Incident Update
Today at 11:23 UTC, Cork Protocol experienced a security incident affecting the wstETH:weETH market, involving approximately 3,761.8 wstETH.
All other markets are unaffected and have currently been paused as the team works with auditors to ensure the… https://t.co/QTgOs0sg2b
— Cork Protocol (@Corkprotocol) May 28, 2025
Fogel thanked everyone for their support, reiterating that they are actively conducting a thorough post-mortem.
Thank you to everyone who has reached out with messages of support and offers to help. It’s been a challenging day, but seeing all the support from the crypto community has been heartwarming.
We are actively conducting a thorough post-mortem and, in the meantime, are… https://t.co/xsuNMKFfI0
— Phil Fogel ( 🦇, 🌳, 🍾) (@Philfog) May 28, 2025
Cork Protocol Joins Victims’ List Alongside Cetus and Others
The Cork Protocol breach marks yet another high-profile security incident in a crypto sector grappling with persistent vulnerabilities.
We're here to help safeguard the space. Let us know if there's anything we can do to support your investigation.
— 🚨 Cyvers Alerts 🚨 (@CyversAlerts) May 28, 2025
As hacks continue to erode consumer confidence, industry leaders are increasingly calling for more robust safeguards.
Over the past week alone, attacks on DeFi and DEX platforms have intensified, coinciding with rising liquidity across protocols.
One of the most notable breaches occurred on 22 May, when Cetus—a decentralised exchange built on the Sui network—was compromised, resulting in the theft of $223 million.
Although Sui validators were able to freeze a large portion of the stolen funds, the move ignited a heated debate over the network’s degree of centralisation and the proper role of validators during major crises.
In response, Cetus offered a $6 million bounty to white hat hackers willing to help recover the outstanding assets.
⚡️@SuiNetwork steps in to fully compensate Cetus users after $223M exploit.
- The hacker used fake tokens to drain real assets from liquidity pools
- Sui Foundation gave a loan to Cetus to compensate users
- Cetus will begin repaying users using the loan and its own reserves
— Crypto Coin Show (@CryptoCoinShow) May 28, 2025
A detailed post-mortem by blockchain security firm Dedaub revealed the exploit stemmed from a flaw in Cetus’ automated market maker (AMM) logic.
📢 New Progress Update – A Path Forward Together!
Since the incident, we have reflected deeply on the incident and its impact on our users, partners, and the broader ecosystem. We are deeply sorry and take this responsibility seriously. Today, we want to share a meaningful step…
— Cetus🐳 (@CetusProtocol) May 27, 2025
Hackers manipulated liquidity parameters by altering undetected values in the binary code’s most significant bits (MSBs)—a technical sleight of hand that enabled them to inject massive amounts of liquidity with minimal input and siphon off funds from multiple pools.
The incident underscores the urgent need for more sophisticated risk controls as DeFi platforms scale.